Incorporating Web Application Security Testing Into Your Quality Assurance Process

Many companies are under the impression that testing for Web application security simply involves a cursory check for easy-to-guess usernames and passwords. Yet application security testing can and should involve more complex checks, such as testing for SQL injection and Cross-Site Scripting. Often this sort of review does not happen until the Web application is in production, when it is too late to stop a hacker or a malicious program from attacking and much more expensive to remediate the vulnerability.

Quality assurance departments have traditionally focused on functional testing - making sure that an application works properly and performs all of its necessary tasks seamlessly. However, as Web application security becomes more important, your QA department is more likely to be a critical participant in application security testing.

Getting Your QA Department Involved

There are three ways that your Quality Assurance department may become involved with Web application security testing:

Your company’s Web security experts request that application security testing be done by the QA group to ensure that all fixes have been implemented and no security holes exist prior to releasing the product to production.
Your compliance officer, facing concerns about SOX, HIPAA, PCI, and so on, requests that further application security testing is performed during the QA process.
Your QA department themselves request involvement with testing for Web application security, because an application that has security holes in it is not going to be perceived as high-quality by users.

No matter how the department gets involved, certain steps will need to be taken to establish the application security testing process. It will need to be determined whether there will be specific, dedicated staff members who will be performing Web application security testing, or whether the task will be dispersed throughout your entire QA group. In addition, the timing of Web application security testing during the Quality Assurance process will need to be managed. Ideally, application security testing will be performed as early as possible, so that developers can fix any security issues in a timely manner, without compromising the project’s schedule. Finally, the right software for application security testing will need to be selected and implemented.

Choosing the Right Tool for Web Application Security Testing

The QA department will need application security testing software that is able to perform three different types of testing: as a non-authenticated user, an authenticated user, and an administrative user, to determine the vulnerabilities inherent in each user class. Additionally, the Web application security tool should be able to perform both automated and manual crawling/spidering of your Web application.

Automated application security testing software will spider the entire application by clicking every button and link, filling out data fields to identify the structure of the program, and then audit each page for vulnerabilities. It should do this from the outside in, reviewing each portion of the site the way an external hacker might, ideally from behind the scenes. This comprehensive approach is valuable to ensure that all security holes have been identified and can be fixed. On the down side, it can also produce false positives, and it may not be able to access all of your Web pages due to the way that certain pages are coded.

Manual testing allows a user to focus on specific pathways or tasks on a Web site while the software follows silently behind, tracking the process. The program can then audit the particular path that the user has taken for security vulnerabilities and provide a report. Manually crawling an application can be time consuming, but it also ensures that specific pages are tracked and analyzed.

Basic Guidelines for Choosing an Application Security Testing Product

The following basic questions should be addressed when you are looking for a Web application security testing product:

How easy is the product to use?
What kind of training will your Quality Assurance department require in order to properly use the product?
How well does the product integrate into the tools and software that are already used by your organization?
How often is the product updated with new security checks – daily, weekly, monthly?
What is the false positive rate of the product? While no product is perfect, you want to find a product with as a low a rate as possible so that your resources are not wasted going through false positives.
What partnerships does the company that has created the product have in place? Are they partnered with IBM, Microsoft, or Mercury? Note that the more partnerships a company has, the more likely the Web application security product will be integrated with commonly used systems and products.
Does the product appear to evaluate each page of your application or does it get stuck on certain pages?
Does the Web application security product allow the end-user to easily modify scan settings?
What kinds of restrictions are in the product’s license?
In which formats are reports offered (PDF, HTML, XML)? Are they easy to read? Do they contain information on the location of the vulnerability, how to execute it, how to verify it, and how to fix it?
Will the company allow you to evaluate the product before committing to purchase it? Confident vendors will often provide a seven-to-fifteen-day evaluation period.

Conclusion

Web application security is of major importance, and your Quality Assurance department needs to be involved in order to ensure that your final product is free of security defects. By implementing the proper tools and establishing application security testing early in the Quality Assurance process, many last-minute security problems will be avoided and you can be confident that you are releasing secure, robust applications.

About the Author

Ryan English is the group product manager for SPI Dynamics, where he oversees product strategy and direction for the company’s QAInspect Quality Assurance Security testing product line. Ryan is a seasoned speaker on the topic of Web application security testing and has spoken at several Quality Assurance industry events, including Mercury World 2005, STAREAST 2006, and the 2006 IBM Rational Conference.